Erik Steffl wrote:
>
> sena wrote:
> >
> > On 12/12/2000 at 11:35 -0800, Erik Steffl wrote:
> > > my point was that these options do not help in what I think is by far
> > > most common situation. then again, I have no lies neither statistics to
> > > support this:-)
> > >
> > > I mean the most common situations should be solved first, then special
> > > cases. maybe I'm missing something but I can't find any docs on this...
> > >
> > I think the most _appropriate_ approach is to make things secure above all.
> > That must be why X comes rootonly by default until someone changes it. Nice.
>
> that's the problem. the default is secure but the most typical (my
> assessment) setup cannot be made secure as you have to let anybody run
> X. what's the use of security measure that has to be disabled in most
> cases?

The most typical (by my assessment) setup is where X is run via *dm. The "allowed_users=rootonly" option works fine for that (I've only tested it under gdm, but xdm and kdm should work the same). This is the default.

The most typical power-user's setup is where X is run via startx. The "allowed_users=console" option works fine for that. These are power users, so changing the default should be no problem for them.

I can't think of ANY setups where "allowed_users=console" gives insufficient access to the X server; just in case, there's an "allowed_users=anyone" option.

I, for one, don't want anybody running X unless they're sitting in front of the box.

Earlier in the thread, Erik Steffl also wrote:
> I mean what's the point of having these options when basically only
> 'anybody' is usable? I mean you don't want to run X as root, that does
> not make sense and if you run X most of the time (fairly common,
> probably most common situation for machines where X is installed) then it
> makes sense to use xdm (or other *dm).

X, by which I mean the program /usr/bin/X11/X is ALWAYS run as root. In fact it is setuid root to make sure of this. This is because it needs access to privileged hardware (and possible privileged ports too, I don't remember for sure).

If you run gdm, X is even run BY root, since gdm is running as root. I assume the other *dm's are the same in this respect. This is why "allowed_users=rootonly" works in this case.

Best of Luck,
-Gleef
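
An added example, not part of the original post and not code from the X wrapper: a shell check that reads the "allowed_users" setting discussed above, falls back to the default the post describes, and flags "anyone". The function names, the caller-supplied config and binary paths, and the lenient parsing are assumptions; the thread does not name the config file.

```shell
#!/bin/sh
# Audit helper (added example). Both paths are supplied by the caller;
# the thread does not name the wrapper's config file, so none is hard-coded.

# Print the effective allowed_users value from a wrapper config file.
# Falls back to "rootonly", which the post describes as the default.
# Returns 2 if the file sets a value other than the three named in the thread.
allowed_users_value() {
    conf=$1
    value=rootonly
    if [ -r "$conf" ]; then
        # Assumption: '#' starts a comment, whitespace is ignored,
        # and the last assignment in the file wins.
        found=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$conf" |
                sed -n 's/^allowed_users=//p' | tail -n 1)
        if [ -n "$found" ]; then value=$found; fi
    fi
    case $value in
        rootonly|console|anyone) printf '%s\n' "$value" ;;
        *) printf 'invalid:%s\n' "$value"; return 2 ;;
    esac
}

# Report the setting together with the setuid state of the X binary.
# Exit status: 0 = rootonly/console, 1 = anyone, 2 = unrecognised value.
audit_xwrapper() {
    conf=$1
    xbin=$2
    mode=$(allowed_users_value "$conf") || { echo "FAIL $mode"; return 2; }
    # -u tests the setuid bit; the post states X is installed setuid root.
    if [ -n "$xbin" ] && [ -u "$xbin" ]; then suid=setuid; else suid=not-setuid; fi
    case $mode in
        anyone)
            echo "WARN allowed_users=anyone ($suid): users not at the console can start X"
            return 1 ;;
        *)
            echo "OK allowed_users=$mode ($suid)"
            return 0 ;;
    esac
}
```

Call it as `audit_xwrapper <config-file> <path-to-X>`; the exit status lets it gate a configuration-management run.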